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DETAILED ACTION 

1 . This is in response to the amendment filed June 23, 2009. Claims 1 , 17,33 and 56 have 
been amended. Claims 6, 1 1, 22, 27, 38 and 43 have been cancelled. Claims 1-5, 7-10, 12-21, 
23-26, 28-37, 39-42 and 44-60 are pending and have been considered below. 

Response to Arguments 

2. The 101 rejection regarding claims 1-5, 7-10, 12-21, 23-26, 28-37, 39-42 and 44-60 has 
been withdrawn in light of the amendments to the claims. 

3. Applicant argues, "Applicant respectfully contends that the proposed Berger-Sobel 
combination fails to disclose, teach, or suggest each and every one of these limitations. For 
instance, the Office Action relies on Berger as disclosing adding an entry for the file to a 
database of known good software if the quantitative information exceeds a predetermined value. 
Office Action, pg. 4. Applicant respectfully disagrees. Berger is directed toward a method of 
detecting potentially malicious action of a potentially unsafe application. Belier, Abstract. While 
server system 130 may be "updated to reflect that a potentially unsafe application is now a 
known safe application or a known unsafe application," there is no teaching, disclosure, or 
suggestion that this update is performed "if the quantitative information exceeds a predetermined 
value." The examiner respectfully disagrees and submits that Berger teaches when detecting a 
potential unsafe file(unknown file), the file is sent to sandbox for further analyzing and 
processing based on the result of the further processing in the sandbox server the local database 
are updated. The examiner notes that the further processing of the file is time consuming which 
could take a couple of second to a couple of minutes. The examiner also notes that a 
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predetermined time can be any amount of time , therefore the examiner submits that Berger 
teaches a step of adding an entry for the file to a database of known good software if the 
quantitative information exceeds a predetermined value(see paragraphs [001 1 J, 47, [0052], 
[0061, [0068], [0074]). 

4. Applicant also argues that" he cited portions of Sobel similarly fail to disclose, teach, or 
suggest determining a number of times the file has been opened or the number of times an 
executable in the file has been executed. For at least these reasons, Applicant respectfully 
contends that Sobel fails to disclose, teach, or suggest the quantitative information required by 
Claim 56. Therefore, Applicant respectfully requests reconsideration and allowance of Claim 56 
Applicant respectfully contend that Sobel fails to disclose, teach, or suggest the quantitative 
information required by Claim 56. Therefore, Applicant respectfully requests reconsideration and 
allowance of Claim 56", the examiner submit the newly found references to Dutta et al (US 7, 
539,664) discloses the quantitative information (column 9, lines 34-43).In addition Liang ct al 
US 2004/0205419 teaches the quantitative information (see paragraphs [0016], [0035], [00048], 
[0051], [0052]). 

Claim Rejections - 35 USC § 101 

5. The 35 U.S.C. 101 rejections to claims 1-10, 12-169 49, 50, 52, 53 and 56-60 have been 
withdrawn in light of the amendment to the claims. AOpplicant amended claim 33 the recite the 
limitation of a tangible computer storage medium. The examiner notes that putting the world 
tangible in front of the storage medium does not overcome the 101, the examiner also notes that 
there is no antecedent basis for the term storage medium in the specification, therefore examiner 
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suggest the used of "program storage device". The 101 rejection to claims 33-37, 39-42, 44-48, 
54 and 55 has been maintained. 

Claim Rejections - 35 USC §103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

7. Claims 56-60 are rejected under 35 U.S.C. 103(a) as being unpatentable over Berger (US 
2004/01231 17) in view of Duttaetal (US 7,539,664). 

Claim 56: Berger discloses a method for computer security, comprising: 
identifying a file(paragraph [0084]); 

i. determining whether an entry for the file exists in database of unfamiliar 
software(7/7/ze application characteristic doesn't match either a known safe 
application characteristic or a known unsafe application characteristic, a 
determination is made in operation 208 that the potentially unsafe application is 
an unknown application) (paragraph [0047]; Fig. 3, steps 314-320); 

ii. adding an entry for the file to a database of known good software if the 
quantitative information exceeds a predetermined value///" application is safe or 
unsafe operation 320, flow moves to an update local configuration operation 322. 
In update local configuration operation 322, the local configuration, e.g., 
application characteristics, on server system 130 is updated to reflect that the 
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potentially unsafe application is now a known safe application or a known unsafe 
application ) (paragraphs [0068], [0081 J); and 

iii. allowing the opening of the file to continue if the database of known good 

software includes the entry for the file(paragraph[0084]). 
Berge does not explicitly discloses determining quantitative information regarding the 
file, the quantitative information selected from the group consisting of a length of time 
the entry has been in the database of unfamiliar software, a number of times the file has 
been opened, and a number of times an executable in the file has been executed. 
However Dutta et al discloses a method for operating a rating server, which determining 
quantitative information regarding the file, the quantitative information selected from the 
group consisting of a length of time the entry has been in the database of unfamiliar 
software, a number of times the file has been opened, and a number of times an 
executable in the file has been executed (the search result post-processor can monitor 
and record or log the number of times that a general file is opened or the number of times 
that an executable file has been executed. The search result post-processor could also 
monitor how long a file is kept before it is deleted (or moved) (column 9, lines 34-43). 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teaching of Berger such as to use quantitative 
information. The motivation of doing so would have been to improve the performance of 
malicious computer code detection as taught by Dutta et al (column 1, lines 5-10). 
Claim 57: Berger and Dutta et al disclose the method as in claim 56 above, and Burger 
further discloses a step of removing the entry for the file from the database of unfamiliar 
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software if the quantitative information exceeds a predetermined value(paragraph [0084]: 



Claim 58: Berger and Dutta et al disclose the method as in claim 56 above, and Burger 



further discloses a step of preventing the opening of the file to continue if: 
the database of known good software does not include the entry for the 
file(terminating)(paragraph [0049]); and 

the file attempts a suspicious activity(deleting a file)(paragraph [0045]). 

Claim 59: Berger and Dutta et al disclose the method as in claim 58 above, and Burger 

further discloses wherein a suspicious activity comprises updating a registry(paragraph 



Claim 60: Berger and Dutta et al disclose the method as in claim 58 above, and Burger 
further discloses wherein a suspicious activity comprises opening a second file(paragraph 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Fatoumata Traore whose telephone number is (571) 270-1685. 
The examiner can normally be reached Monday through Thursday from 7:00 a.m. to 4:00 p.m. 
and every other Friday from 7:30 a.m. to 3:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nassar G. Moazzami, can be reached on (571) 272 4195. The fax phone number for 
Formal or Official faxes to Technology Center 2100 is (571) 273-8300. Draft or Informal faxes, 



Fig 2). 



[0033]). 



[0033]). 



Conclusion 
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which will not be entered in the application, may be submitted directly to the examiner at (571) 
270-2685. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the Group Receptionist whose telephone number is (571) 272-2100. 

Wednesday, October 14, 2009. 
/F. T./ 

Examiner, Art Unit 2436 



/Nasser G Moazzami/ 

Supervisory Patent Examiner, Art Unit 2436 



